Policy Store Configuration Files

/etc/selinux/<policy_name>/modules - This is the default for systems that support versions < 2.4 of libsemanage, libsepol, and policycoreutils.

/var/lib/selinux/<policy_name>/modules - This is the default for systems that support versions >= 2.4 of libsemanage, libsepol, and policycoreutils. The base (/var/lib/selinux) may be overridden by the store-root parameter defined in the semanage.conf file. The migration process from previous releases is described at https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration. Note that once the policy store migration is complete, these files will no longer exist

Note: There can be multiple policy stores on a system at /etc/selinux/<policy_name>/modules.

The Policy Store files are either installed, updated or built by the semodule(8) and semanage(8) commands as a part of the build process. The resulting files will either be copied over to the Policy Configuration Files area, or used to rebuild the kernel binary policy located at /etc/selinux/<policy_name>/policy.

All files may have comments inserted where each line must have the '#' symbol to indicate the start of a comment.

The command options and outputs shown in the text are based on the current F-20 build.

modules/ Files

The policy store has two lock files that are used by libsemanage for managing the store. Their format is not relevant to policy construction:

semanage.read.LOCK
semanage.trans.LOCK

modules/active/base.pp File

This is the packaged base policy that contains the mandatory modules and policy components such as object classes, permission declarations and initial SIDs.

modules/active/base.linked File

This is only present if the save-linked is set to TRUE as described in the /etc/selinux/semanage.conf section. It contains the modules that have been linked using the semodule_link(8) command.

modules/active/commit_num File

This is a binary file used by libsemanage for managing updates to the store. The format is not relevant to policy construction.

modules/active/file_contexts.template File

This contains a copy all the modules 'Labeling Policy File' entries (e.g. the <module_name>.fc files) that have been extracted from the base.pp and the loadable modules in the modules/active/modules directory.

Note that as a part of the semanage build process, these two files will also have file_contexts.bin and file_contexts.homedirs.bin files present in the Policy Configuration Filescontexts/files directory. This is because semanage requires these in the Perl compatible regular expression (PCRE) internal format. They are generated by the sefcontext_compile(8) utility.

The homedir_template and file_contexts files are built is as follows:

homedir_template - Any line in the file_contexts.template file that has the keywords HOME_ROOT, HOME_DIR and/or USER are extracted and added to the homedir_template file. This is because these keywords are used to identify entries that are associated to a users home directory area. These lines may also have the ROLE keyword declared.

The homedir_template file will then be processed by genhomedircon(8)[1] to generate individual SELinux user entries in the file_contexts.homedirs file as discussed in the modules/active/file_contexts.homedirs section.

These are examples of one line being processed as described above, taken from the F-20 targeted policy:

The master file_contexts.template entry:

HOME_DIR\/.wine(/.*)? system_u:object_r:wine_home_t:s0

The homedir_template entry is created as:

HOME_DIR\/.wine(/.*)? system_u:object_r:wine_home_t:s0

The file_contexts.homedirs entries are created by genhomedircon for the SELinux users extracted from the seusers file as follows:

# Home Context for any Linux user that is assigned
# the SELinux user unconfined_u
/home/[^/]*/\.wine(/.*)? unconfined_u:object_r:wine_home_t:s0
# Home Context for user root
/root/\.wine(/.*)? unconfined_u:object_r:wine_home_t:s0

file_contexts - All other lines are extracted and added to the file_contexts file as they are files not associated to a users home directory.

The format of the file_contexts.template file is as follows:

Each line within the file consists of the following:

pathname_regexp [file_type] opt_security_context

Where:

pathname_regexp

An entry that defines the pathname that may be in the form of a regular expression.

The metacharacters '^' (match beginning of line) and '$' (match end of line) are automatically added to the expression by the routines that process this file, however they can be over-ridden by using '.*' at either the beginning or end of the expression (see the example file_contexts files below).

There are also keywords of HOME_ROOT, HOME_DIR, ROLE and USER that are used by file labeling commands (see the keyword definitions below and the modules/active/homedir_template file section for their usage).

file_type

One of the following optional file_type entries (note if blank means "all file types"):

'-b' - Block Device '-c' - Character Device

'-d' - Directory '-p' - Named Pipe (FIFO)

'-l' - Symbolic Link '-s' - Socket File

'--' - Ordinary file

By convention this entry is known as 'file type', however it really represents the 'file object class'.

opt_security_context

This entry can be either:

The security context, including the MLS / MCS level or range if applicable that will be assigned to the file.

A value of <<none>> can be used to indicate that matching files should not be re-labeled.

Keywords that can be in the file_contexts.template file are:

HOME_ROOT

This keyword is replaced by the GNU / Linux users root home directory, normally '/home' is the default.

HOME_DIR

This keyword is replaced by the GNU / Linux users home directory, normally '/home/' is the default.

USER

This keyword will be replaced by the users GNU / Linux user id.

ROLE

This keyword is replaced by the 'prefix' entry from the users_extra configuration file that corresponds to the SELinux users user id. Example users_extra configuration file entries are:

user user_u prefix user;
user staff_u prefix staff;

It is used for files and directories within the users home directory area.

The file can be built by the genhomedircon command (that just calls /usr/sbin/semodule -Bn) or if using semanage with user or login options to manage users, where it is called automatically as it is now a libsepol library function.

The file_contexts.homedirs file has the same per line format as the modules/active/file_contexts.template file, however the HOME_DIR, ROOT_DIR, ROLE and USER keywords will be replaced as explained in the keyword definitions section above.

modules/active/netfilter_contexts & netfilter.local File

These files are not used at present. There is code to produce a netfilter_contexts file for use by the GNU/Linux iptables service[2] in the Reference Policy that would generate a file similar to the example below, however there seems much debate on how they should be managed (see bug 201573 - Secmark iptables integration for details).

modules/active/policy.kern File

This is the binary policy file built by either the semanage(8) or semodule(8) commands (depending on the configuration action), that then becomes the binary policy to be loaded into the kernel.

modules/active/seusers.final and seusers Files

The seusers.final file maps GNU / Linux users to SELinux users and becomes the policies seusers[3] file as discussed in the seusers section. The seusers.final file is built or modified when:

Building a policy where an optional seusers file has been included in the base package via the semodule_package(8) command (signified by the -s flag) as follows[4]:

semodule_package -o base.pp -m base.mod -s seusers ...

The seusers file would be extracted by the subsequent semodule command when building the policy to produce the seusers.final file.

The semanage login command is used to map GNU / Linux users to SELinux users as follows:

semanage login -a -s staff_u rch

This action will update the seusers file that would then be used to produce the seusers.final file with both policy and locally defined user mapping.

It is also possible to associate a GNU / Linux group of users to an SELinux user as follows:

semanage login -a -s staff_u %staff_group

The format of the seusers.final & seusers files are as follows:

[%]user_id:seuser_id[:range]

Where:

user_id

Where user_id is the GNU / Linux user identity. If this is a GNU / Linux group_id then it will be preceded with the '%' sign as shown in the example below.

modules/active/users_extra, users_extra.local and users.local Files

These three files work together to describe SELinux user information as follows:

The users_extra and users_extra.local files are used to map a prefix to users home directories as discussed in the modules/active/file_contexts.template file section, where it is used to replace the ROLE keyword. The prefix is linked to an SELinux user id and should reflect the users role. The semanage user command will allow a prefix to be added via the -P flag (although no longer used by policies as discussed in the modules/active/file_contexts.template file section).

The users_extra file contains all the policy prefix entries, and the users_extra.local file contains those generated by the semanage user command.

The users_extra file can optionally be included in the base package via the semodule_package(8) command (signified by the -u flag) as follows[5]:

semodule_package -o base.pp -m base.mod -u users_extra ...

The users_extra file would then be extracted by a subsequent semodule command when building the policy.

The users.local file is used to add new SELinux users to the policy without editing the policy source itself (with each line in the file following a policy language user statement section). This is useful when only the Reference Policy headers are installed and additional users need to added. The semanage user command will allow a new SELinux user to be added that would generate the user.local file and if a -P flag has been specified, then a users_extra.local file is also updated (note: if this is a new SELinux user and a prefix is not specified a default prefix of user is generated).

The sections that follow will:

Define the format and show example users_extra and users_extra.local files.

Execute an semanage user command that will add a new SELinux user and associated prefix, and show the resulting users_extra, users_extra.local and users.local files.

Note that each line of the users.local file contains a user statement that is defined in the policy language user statement section, and will be built into the policy via the semanage command.

The format of the users_extra & users_extra.local files are as follows:

user seuser_id prefix prefix_id;

Where:

user

The user keyword.

seuser_id

The SELinux user identity.

prefix

The prefix keyword.

prefix_id

An identifier that will be used to replace the ROLE keyword within the modules/active/homedir_template file when building the ./modules/active/file_contexts.homedirs file for the relabeling utilities to set the security context on users home directories.

modules/active/booleans.local File

This file is created and updated by the semanage boolean command and holds boolean value as requested.

Example semanage boolean command to modify a boolean value:

# This command will add an entry in the booleans.local
# file and set the boolean value to 'off':
semanage boolean -m -0 ext_gateway_audit

The resulting booleans.local file would be:

# modules/active/booleans.local
ext_gateway_audit=0

modules/active/file_contexts.local File

This file is created and updated by the semanage fcontext command. It is used to hold file context information on files and directories that were not delivered by the core policy (i.e. they are not defined in any of the *.fc files delivered in the base and loadable modules).

The semanage command will add the information to the policy stores file_contexts.local file and then copy this file to the ./contexts/files/file_contexts.local file, where it will be used when the file context utilities are run.

# This command will add an entry in the file_contexts.local file:
semanage fcontext -a -t user_t /usr/move_file
# Note that the type (-t flag) must exist in the policy
# otherwise the command will fail.

modules/active/interfaces.local File

This file is created and updated by the semanage interface command to hold network interface information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new interface information is then built into the policy by the semanage(8) command.

Each line of the file contains a netifcon statement that is defined along with examples in the netifcon statement section.

modules/active/nodes.local File

This file is created and updated by the semanage node command to hold network address information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new node information is then built into the policy by the semanage(8) command.

Each line of the file contains a nodecon statement that is defined along with examples in the policy language nodecon statement section.

modules/active/ports.local File

This file is created and updated by the semanage port command to hold network port information that was not delivered by the core policy (i.e. they are not defined in base.conf file). The new port information is then built into the policy by the semanage(8) command.

Each line of the file contains a portcon statement that is defined along with examples in the policy language portcon statement section.

modules/active/preserve_tunables File

This file will only exist if the policy build specified that tunables should be preserved, if so they would be converted to booleans by the policy build process.

modules/active/disable_dontaudit File

This file will only exist if the policy build specified that dontaudit rules should be disabled.

modules/active/modules Directory Contents

This directory contains loadable modules (<module_name>.pp or when disabled <module_name>.pp.disabled) that have been built by the semodule_package command and placed in the store by the semodule or semanage module -a commands as shown in the following example:

The modules within the policy store may be compressed or not depending on the value of the bzip-blocksize parameter in the semanage.conf file. The modules and their status can be listed using the semanage module -l command as shown below.

↑Many seusers make confusion: The modules/active/seusers file is used to hold initial seusers entries, the modules/active/seusers.final file holds the complete entries that then becomes the policy seusers file.